Starting Cobalt Strike

The Team Server

Cobalt Strike is split into a client and a server component. The server, referred to as the team server, is
the controller for the Beacon payload and the host for Cobalt Strike’s social engineering features. The team
server also stores data collected by Cobalt Strike and it manages logging.

The Cobalt Strike team server must run, as root, on a supported Linux
system. To start a Cobalt Strike team server, use the teamserver script included with the Cobalt Strike
Linux package.

The team server has two mandatory parameters and two optional parameters. The first is the
externally reachable IP address of the team server. Cobalt Strike uses this value as a default host
for its features. The second is the password your team members will use to connect the Cobalt
Strike client to the team server.

The third parameter is optional. This parameter specifies a Malleable C2 Communication Profile.

The fourth parameter is also optional. This parameter specifies a kill date in YYYY-MM-DD
format. The team server will embed this kill date into each Beacon stage it generates. The Beacon
payload will refuse to run on or after this date. The Beacon payload will also exit if it wakes up
on or after this date as well.

When the team server starts, it will publish a SHA256 hash of the team server’s SSL certificate. You should
distribute this hash to your team members. When your team members connect, their Cobalt Strike client will ask
if they recognize this hash before it authenticates to the team server. This is an important protection
against man-in-the-middle attacks.

The Cobalt Strike Client

The Cobalt Strike client connects to the team server. To start the Cobalt Strike client, use the launcher
included with your platform's package. The launcher takes no arguments.

You will see a connect dialog when the Cobalt Strike client starts.

Specify your team server's address in the Host field. The default Port for the team server is 50050.
There's rarely a reason to change this. The User field is your nickname on the team server. Change this to
your call sign, handle, or made-up hacker fantasy name. The Password field is the shared password for the team
server.

Press Connect to connect to the Cobalt Strike team server.

If this is your first connection to this team server, Cobalt Strike will ask if you recognize the SHA256 hash
of this team server's SSL certificate. If you do, press OK, and the Cobalt Strike client will connect to the server. Cobalt
Strike will also remember this SHA256 hash for future connections. You may manage these hashes through Cobalt
Strike -> Preferences -> Fingerprints.

Cobalt Strike keeps track of the team servers you connect to and remembers your information. Select
one of these team server profiles from the left-hand-side of the connect dialog to populate the connect dialog
with its information. You may also prune this list through Cobalt Strike -> Preferences -> Team Servers.